CVE-2026-2902

Name of the Vulnerable Software and Affected Versions WP Meteor Website Speed Optimization Addon versions prior to 3.4.17

Description Insufficient input sanitization and output escaping in the frontend rewrite() function's WPMETEOR[N]WPMETEOR placeholder content allow unauthenticated attackers to inject arbitrary web scripts. These scripts execute whenever a user accesses an affected page. This is a Stored Cross-Site Scripting issue, which occurs when an application stores malicious input on the server and later embeds it into a web page served to other users.

Recommendations Update to a version later than 3.4.16. As a temporary workaround, restrict access to the frontend rewrite() function to minimize the risk of exploitation.